
Tuesday, July 7, 2015

CCIE Security 350-018 Quiz and QA - Security Protocols

Quiz

1 What are the three components of AAA? (Choose the three best answers.)
a. Accounting
b. Authorization
c. Adapting
d. Authentication

AAA is used for authentication, authorization, and accounting. Answer c is incorrect because adapting is not part of the security options available with AAA.

2 What IOS command must be issued to start AAA on a Cisco router?
a. aaa old-model
b. aaa model
c. aaa new model
d. aaa new-model
e. aaa new_model

When using encryption between two routers, the Diffie-Hellman algorithm is used to exchange keys. This algorithm initiates the session between two routers and ensures that it is secure. Answer a is incorrect because the routing algorithm is used for routing, not for encryption. Answer c is incorrect because a switching engine is used to switch frames and has nothing to do with encryption. Answer d is incorrect because the stac compression algorithm is used by PPP; it compresses data on a PPP WAN link.

4 Can you configure RADIUS and TACACS+ concurrently on a Cisco IOS router?
a. No.
b. Yes, provided you have the same list names applied to the same interfaces.
c. Yes, provided you have different list names applied to the same interfaces.
d. Yes, provided you have different list names applied to different interfaces.

List names and interfaces must be different.

5 How do you enable a RADIUS server to debug messages for Cisco Secure on a UNIX server?
a. Terminal monitor
b. Edit the configuration file on the router
c. Edit the syslog.conf and csu.cfg files
d. Not possible, as UNIX does not run IOS

You can enable debugging on a UNIX host running Cisco Secure by editing the syslog.conf and csu.cfg files.

6 What RADIUS attribute is used by vendors and not predefined by RFC 2138?
a. 1
b. 2
c. 3
d. 4
e. 13
f. 26
g. 333
h. 33

Attribute 26 is a vendor-specific attribute. Cisco uses vendor ID 9.

7 RADIUS can support which of the following protocols?
a. PPP
b. OSPF
c. AppleTalk
d. IPX
e. NLSP

RADIUS does not deploy TCP.

10 What is the RADIUS key for the following configuration? If this configuration is not valid, why isn’t it?

aaa authentication login use-radius group radius local
aaa authentication ppp user-radius if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius
radius-server 3.3.3.3
radius-server key IlovemyMum

a. IlovemyMum
b. Ilovemymum
c. This configuration will not work because the command aaa new-model is missing.
d. 3.3.3.3

Because aaa new-model is not configured, this is not a valid configuration and no requests will be sent to the RADIUS server.

11 What is the RADIUS key for the following configuration?

aaa new-model
aaa authentication login use-radius group radius local
aaa authentication ppp user-radius if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius
radius-server 3.3.3.3
radius-server key IlovemyMum

a. IlovemyMum
b. Ilovemymum
c. This configuration will not work
d. 3.3.3.3

The key is case-sensitive; the IOS command, radius-server key IlovemyMum, defines the key as IlovemyMum.

12 What versions of TACACS does Cisco IOS support? (Select the best three answers.)
a. TACACS+
b. TACACS
c. Extended TACACS
d. Extended TACACS+

There is no Cisco Extended TACACS+ support.

13 TACACS+ is transported over which TCP port number?
a. 520
b. 23
c. 21
d. 20
e. 49

14 What is the predefined TACACS+ server key for the following configuration?

radius-server host 3.3.3.3
radius-server key CCIEsrock

a. 3.3.3.3
b. Not enough data
c. CCIESROCK
d. CCIEsRock
e. CCIEsrock

The key is case-sensitive and is defined by the IOS command, radius-server key CCIEsrock.

15 What does the following command accomplish?

tacacs_server host 3.3.3.3

a. Defines the remote TACACS+ server as 3.3.3.3
b. Defines the remote RADIUS server as 3.3.3.3
c. Not a valid IOS command
d. 3.3.3.3
e. Host unknown; no DNS details for 3.3.3.3 provided

The IOS command to define a remote TACACS+ server is tacacs-server host ip-address.

16 Which of the following protocols does TACACS+ support?
a. PPP
b. AppleTalk
c. NetBIOS
d. All the above

Kerberos is an application layer protocol defined at Layer 7 of the OSI model.

18 What definition best describes a key distribution center when Kerberos is applied to a network?
a. A general term that refers to authentication tickets
b. An authorization level label for Kerberos principals
c. Applications and services that have been modified to support the Kerberos credential infrastructure
d. A domain consisting of users, hosts, and network services that are registered to a Kerberos server
e. A Kerberos server and database program running on a network host

The KDC is a server and database program running on a network host.

19 What definition best describes a Kerberos credential?
a. A general term that refers to authentication tickets
b. An authorization level label for Kerberos principals
c. Applications and services that have been modified to support the Kerberos credential infrastructure
d. A domain consisting of users, hosts, and network services that are registered to a Kerberos server
e. A Kerberos server and database program running on a network host

A credential is a general term that refers to authentication tickets, such as ticket granting tickets (TGTs) and service credentials. Kerberos credentials verify the identity of a user or service. If a network service decides to trust the Kerberos server that issued a ticket, it can be used in place of retyping a username and password. Credentials have a default lifespan of eight hours.

20 What definition best describes Kerberized?
a. A general term that refers to authentication tickets
b. An authorization level label for Kerberos principals
c. Applications and services that have been modified to support the Kerberos credential infrastructure
d. A domain consisting of users, hosts, and network services that are registered to a Kerberos server
e. A Kerberos server and database program running on a network host

Kerberized refers to applications and services that have been modified to support the Kerberos credential infrastructure.

21 What definition best describes a Kerberos realm?
a. A general term that refers to authentication tickets
b. An authorization level label for the Kerberos principals
c. Applications and services that have been modified to support the Kerberos credential infrastructure
d. A domain consisting of users, hosts, and network services that are registered to a Kerberos server
e. A Kerberos server and database program running on a network host

The Kerberos realm is also used to map a DNS domain to a Kerberos realm.

22 What IOS command enables VPDN in the global configuration mode?
a. vpdn-enable
b. vpdn enable
c. vpdn enable in interface mode
d. Both a and c are correct

To enable VPDN in global configuration mode, the correct IOS command is vpdn enable.

23 What is the number of bits used with a standard DES encryption key?
a. 56 bits
b. 32 bits; same as IP address
c. 128 bits
d. 256 bits
e. 65,535 bits
f. 168 bits

DES applies a 56-bit key. The documented time taken to discover the 56-bit key is 7 hours on a Pentium III computer, so DES is not a common encryption algorithm used in today’s networks.

24 What is the number of bits used with a 3DES encryption key?
a. 56 bits
b. 32 bits; same as IP address
c. 128 bits
d. 256 bits
e. 65,535 bits
f. 168 bits

Triple DES (3DES) is today’s standard encryption with a 168-bit key.

25 In IPSec, what encapsulation protocol only encrypts the data and not the IP header?
a. ESP
b. AH
c. MD5
d. HASH
e. Both a and b are correct

ESP only encrypts the data, not the IP header.

26 In IPSec, what encapsulation protocol encrypts the entire IP packet?
a. ESH
b. AH
c. MD5
d. HASH
e. Both a and b are correct

AH encrypts the entire IP packet. The time to live (TTL) is not encrypted because this value decreases by one (1) every time a router is traversed.

27 Which of the following is AH’s destination IP port?
a. 23
b. 21
c. 50
d. 51
e. 500
f. 444

The AH destination port number is 51.

28 Which of the following is ESP’s destination IP port?
a. 23
b. 21
c. 50
d. 51
e. 500
f. 444

The ESP destination IP port number is 50.

29 Which of the following is not part of IKE phase I negotiations?
a. Authenticating IPSec peers
b. Exchanges keys
c. Establishes IKE security
d. Negotiates SA parameters

Aggressive mode is faster than Main mode but is less secure. They can both occur in Phase I. Phase II only has Quick mode. Fast mode does not exist in the IPSec standard set of security protocols.

32 Certificate Enrollment Process (CEP) runs over what TCP port number? (Choose the best two answers.)
a. Same as HTTP
b. Port 80
c. Port 50
d. Port 51
e. Port 333
f. Port 444

CEP uses the same port as HTTP, port 80.

Q & A

1 Define the AAA model and a typical application on a Cisco IOS router.
Answer: Authentication, authorization, and accounting (pronounced triple A) provides security to Cisco IOS routers and network devices beyond the simple user authentication available on IOS devices. AAA provides a method to identify which users are logged into a router and each user’s authority level. AAA also provides the capability to monitor user activity and provide accounting information. Typically, AAA is used to authenticate and authorize Cisco IOS commands, and provides accounting information to the network administrator.

2 Can you allow a remote user authorization before the user is authenticated with AAA?
Answer: Before authorization occurs, the remote user must be authenticated. Cisco IOS routers allow you to configure AAA authorization, but no access will be permitted until the remote user is authenticated.

3 What IOS command is required when enabling AAA for the first time?
Answer: aaa new-model must be entered globally before additional IOS commands are entered.

4 What is the privilege level of the following user? Assume AAA is not configured.

R2>

Answer: The privilege level ranges from 0 to 15 (the higher the level, the more commands are available). Because the user is not in PRIV exec mode, the default privilege level for an EXEC user is 1. Only basic show commands are available in priv level 1.

R2>show priv
Current privilege level is 1

5 Define four possible RADIUS responses when authenticating the user through a RADIUS server.
Answer: The four possible responses are as follows:
• ACCEPT—The user is authenticated.
• REJECT—The user is not authenticated and is prompted to reenter the username and password, or access is denied. The RADIUS server sends this response when the user enters an invalid username/password pairing.
• CHALLENGE—The RADIUS server issues a challenge. The challenge collects additional data from the user.
• CHANGE PASSWORD—The RADIUS server issues a request asking the user to select a new password.

6 What are RADIUS attributes? Supply five common examples.
Answer: RADIUS supports a number of predefined attributes that can be exchanged between client and server, such as the client’s IP address. RADIUS attributes carry specific details about authentication. RFC 2138 defines a number of RADIUS predefined attributes. The following bulleted list provides details of the most common attributes:
• Attribute type 1—Username (defined usernames can be numeric, simple ASCII characters, or an SMTP address)
• Attribute type 2—Password (defines the password; passwords are encrypted using MD5)
• Attribute type 3—CHAP Password (only used in access-request packets)
• Attribute type 4—NAS IP address (defines the NAS server’s IP address; only used in access-request packets)
• Attribute type 5—NAS port (not UDP port number); indicates the NAS’s physical port number, which ranges from 0 to 65535
• Attribute type 6—Service-type (type of service requested or type of service to be provided); for Cisco devices this is Callback and is not supported
• Attribute type 7—Protocol (defines what framing is required; for example, PPP is defined when this attribute is set to 1, SLIP is 2)
• Attribute type 8—IP address (defines the IP address to be used by the remote user)
• Attribute type 9—IP subnet mask (defines the subnet mask to be used by the remote user)
• Attribute type 10—Routing
• Attribute type 13—Compression
• Attribute type 19—Callback number
• Attribute type 20—Callback ID
• Attribute type 26—Vendor-specific (Cisco [vendor-ID 9] uses one defined option, vendor type 1, named cisco-avpair)

7 What protocols does RADIUS use when sending messages between the server and client?
Answer: RADIUS transports through UDP destination port number 1812.

8 What predefined destination UDP port number is RADIUS accounting information sent to?
Answer: UDP port 1646

9 What does the following command accomplish on a Cisco IOS router?

aaa authentication ppp user-radius if-needed group radius

Answer: The aaa authentication ppp user-radius if-needed group radius command configures the Cisco IOS software to use RADIUS authentication for lines using PPP with CHAP or PAP, if the user has not already been authorized. If the EXEC facility has authenticated the user, RADIUS authentication is not performed. User-radius is the name of the method list that defines RADIUS as the if-needed authentication method.

10 What is the RADIUS server IP address and key for the following configuration?

radius-server host 3.3.3.3
radius-server key GuitarsrocKthisplaneT

Answer: The radius-server host command defines the RADIUS server host’s IP address. The IP address is 3.3.3.3. The radius-server key command defines the shared secret text string between the NAS and the RADIUS server host. The key is case-sensitive like all passwords on Cisco IOS devices, so the key is defined as GuitarsrocKthisplaneT.

11 TACACS+ is transported over what TCP destination port number?
Answer: TCP port 49

12 What information is encrypted between a Cisco router and a TACACS+ server?
Answer: All data communication between TACACS+ devices is encrypted, excluding the IP header.

13 What are the four possible packet types from a TACACS+ server when a user attempts to authenticate a Telnet session to a Cisco router configured for AAA, for example?
Answer: The four packet types are as follows:
• ACCEPT—The user is authenticated and service can begin. If the network access server is configured to require authorization, authorization will begin at this time.
• REJECT—The user has failed to authenticate. The user can be denied further access or will be prompted to retry the login sequence, depending on the TACACS+ daemon.
• ERROR—An error occurred at some time during authentication. This can be either at the daemon or in the network connection between the daemon and the NAS. If an ERROR response is received, the network access server typically tries to use an alternative method for authenticating the user.
• CONTINUE—The user is prompted for additional authentication information.

14 What is the significance of the sequence number in the TACACS+ frame format?
Answer: The sequence number is the number of the current packet flow for the current session. The sequence number starts with 1 and each subsequent packet will increment by one. The client only sends odd numbers. TACACS+ servers only send even numbers.

15 What does the following IOS command accomplish?

aaa authentication ppp default if-needed group tacacs+ local

Answer: The aaa authentication command defines a method list, “default,” to be used on serial interfaces running PPP. The keyword default means that PPP authentication is applied by default to all interfaces. The if-needed keyword means that if the user has already authenticated through the ASCII login procedure, PPP authentication is not necessary and can be skipped. If authentication is needed, the keyword group tacacs+ means that authentication will be done through TACACS+. If TACACS+ returns an ERROR during authentication, the keyword local indicates that authentication will be attempted using the local database on the NAS.

16 What IOS command defines the remote TACACS+ server?
Answer: To define the TACACS+ server, the IOS command is tacacs-server host ip-address.

17 What are the major differences between TACACS+ and RADIUS?
Answer: The following are the differences between RADIUS and TACACS+:
• Packet delivery: RADIUS uses UDP; TACACS+ uses TCP.
• Packet encryption: RADIUS encrypts only the password in the access-request packet, from the client to the server. TACACS+ encrypts the entire body of the packet, but leaves a standard TACACS+ header.
• AAA support: RADIUS combines authentication and authorization. TACACS+ uses the AAA architecture, separating authentication, authorization, and accounting.
• Multiprotocol support: RADIUS has none. TACACS+ supports other protocols, such as AppleTalk, NetBIOS, and IPX.
• Router management: RADIUS does not allow users to control which commands can be executed on a router. TACACS+ allows network administrators control over which commands can be executed on a router.

18 Kerberos is a third-party authentication protocol operating at what layer of the OSI model?
Answer: Kerberos is an application layer protocol, which operates at Layer 7 of the OSI model.

19 What delivery methods and destination ports does Kerberos support?
Answer: Kerberos supports both TCP and UDP, including the following port numbers:
• TCP/UDP ports 88, 543, and 749
• TCP ports 754, 2105, and 4444

20 What does the Kerberos realm define?
Answer: A Kerberos realm defines a domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is trusted to verify the identity of a user or network service to another user or network service. Kerberos realms must always be in uppercase characters.

21 Applications that have been modified to support Kerberos credential infrastructures are known as what?
Answer: Kerberized.

22 Define the two steps required in an L2F connection terminating a PPP connection.
Answer: For L2F, the setup for tunneling a PPP session consists of two steps:
Step 1 Establish a tunnel between the NAS and the Home Gateway (HWY). The HWY is a Cisco router or access server (for example, an AS5300) that terminates VPDN tunnels and PPP sessions. This phase takes place only when no active tunnel exists between both devices.
Step 2 Establish a session between the NAS and the Home Gateway.

23 Define the two steps for setting up L2TP for tunneling a PPP connection.
Answer: For L2TP, the setup for tunneling a PPP session consists of two steps:
Step 1 Establish a tunnel between the LAC and the LNS. The LAC is an L2TP access concentrator that acts as one side of the L2TP tunnel endpoint and has a peer to the L2TP network server or LNS. This phase takes place only when no active tunnel exists between both devices.
Step 2 Establish a session between the LAC and the LNS.

24 What are the steps taken for a VPDN connection between a remote user and a remote LAN?
Answer: A VPDN connection between a remote user (router or via PSTN) and the remote LAN is accomplished in the following steps:
Step 1 The remote user initiates a PPP connection to the ISP using the analog telephone system or ISDN.
Step 2 The ISP network access server accepts the connection.
Step 3 The ISP network access server authenticates the end user with CHAP or PAP. The username determines whether the user is a VPDN client. If the user is not a VPDN client, the client accesses the Internet or other contacted service.
Step 4 The tunnel endpoints—the NAS and the home gateway—authenticate each other before any sessions are attempted within a tunnel.
Step 5 If no L2F tunnel exists between the NAS and the remote user’s home gateway, a tunnel is created. Once the tunnel exists, an unused slot within the tunnel is allocated.
Step 6 The home gateway accepts or rejects the connection. Initial setup can include authentication information required to allow the home gateway to authenticate the user.
Step 7 The home gateway sets up a virtual interface. Link-level frames can now pass through this virtual interface through the L2F or L2TP tunnel.

25 What are the three most common threats from intruders that network administrators face?
Answer: The most common attacks are as follows:
• Packet snooping (also known as eavesdropping)—When intruders capture and decode traffic, obtaining usernames, passwords, and sensitive data, such as salary increases for the year.
• Theft of data—When intruders use sniffers, for example, to capture data over the network and steal that information for later use.
• Impersonation—When an intruder assumes the role of a legitimate device but, in fact, is not legitimate.

26 What does the Digital Signature Standard provide?
Answer: DSS is a mechanism that protects data from an undetected change while traversing the network. DSS verifies the identity of the person sending the data just as you verify your license signature to the bank manager.

27 What is a hash in encryption terminology?
Answer: A hash is defined as the one-way mathematical summary of a message (data) such that the hash value cannot be easily reconstructed back into the original message.

28 Name the two modes of operation in IPSec and their characteristics.
Answer: The two modes are transport and tunnel mode.
• Transport mode—Protects payload of the original IP datagram; typically used for end-to-end sessions.
• Tunnel mode—Protects the entire IP datagram by encapsulating the entire datagram in a new IP datagram.

29 What does IKE accomplish?
Answer: IKE negotiates and provides authenticated keys in a secure manner. IKE was developed by the company previously known as ISAKMP Oakley Key Resolution.

30 Certificate Enrollment Protocol is transported over what TCP port?
Answer: CEP is transported over TCP port 80 (same as HTTP).